0a30f2130ae316b2e838530db43a2b1fdc187f070199d03573531d8688c6eccf

Analysis

max time kernel
150s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
08/03/2024, 02:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b8415f2dcf8d9a9f6580b250abcf0e68.exe
Size

13KB
MD5

b8415f2dcf8d9a9f6580b250abcf0e68
SHA1

dbefda6a972730bca2f17e0fc468079ee21bc3d0
SHA256

0a30f2130ae316b2e838530db43a2b1fdc187f070199d03573531d8688c6eccf
SHA512

5b05bddf8d8f5b46eeaadf2af78622d830bc3606b3fa0aed3e636ef5031f35a16dd707af7bb94545f885396e8dc73d0703af0833fc54332c3dbd261662827aa9
SSDEEP

192:hJACzSxlKdsOWBNoKHD73ewHA5F9ZD2GBxzJlUu2k9iOtyKIv/99gO4:MCzSTmWBNRjTewgtdRxzJl/9TU9gd

Score

8^/10

persistence upx

Malware Config

Signatures

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Deletes itself 1 IoCs

pid	Process
2484	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2248	docyanxk.exe

Loads dropped DLL 2 IoCs

pid	Process
2808	b8415f2dcf8d9a9f6580b250abcf0e68.exe
2808	b8415f2dcf8d9a9f6580b250abcf0e68.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2808-0-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/files/0x000a000000016b70-3.dat	upx
behavioral1/memory/2248-11-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/2808-19-0x0000000000400000-0x0000000000410000-memory.dmp	upx

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\docyanxk.exe	b8415f2dcf8d9a9f6580b250abcf0e68.exe
File created	C:\Windows\SysWOW64\docyanx.dll	b8415f2dcf8d9a9f6580b250abcf0e68.exe
File created	C:\Windows\SysWOW64\docyanxk.exe	b8415f2dcf8d9a9f6580b250abcf0e68.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2808	b8415f2dcf8d9a9f6580b250abcf0e68.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2808 wrote to memory of 2248	2808	b8415f2dcf8d9a9f6580b250abcf0e68.exe	28
PID 2808 wrote to memory of 2248	2808	b8415f2dcf8d9a9f6580b250abcf0e68.exe	28
PID 2808 wrote to memory of 2248	2808	b8415f2dcf8d9a9f6580b250abcf0e68.exe	28
PID 2808 wrote to memory of 2248	2808	b8415f2dcf8d9a9f6580b250abcf0e68.exe	28
PID 2808 wrote to memory of 2484	2808	b8415f2dcf8d9a9f6580b250abcf0e68.exe	29
PID 2808 wrote to memory of 2484	2808	b8415f2dcf8d9a9f6580b250abcf0e68.exe	29
PID 2808 wrote to memory of 2484	2808	b8415f2dcf8d9a9f6580b250abcf0e68.exe	29
PID 2808 wrote to memory of 2484	2808	b8415f2dcf8d9a9f6580b250abcf0e68.exe	29

C:\Users\Admin\AppData\Local\Temp\b8415f2dcf8d9a9f6580b250abcf0e68.exe
"C:\Users\Admin\AppData\Local\Temp\b8415f2dcf8d9a9f6580b250abcf0e68.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2808
- C:\Windows\SysWOW64\docyanxk.exe
  C:\Windows\system32\docyanxk.exe ˜‰
  2⤵
  - Executes dropped EXE
  PID:2248
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\b8415f2dcf8d9a9f6580b250abcf0e68.exe.bat
  2⤵
  - Deletes itself
  PID:2484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\b8415f2dcf8d9a9f6580b250abcf0e68.exe.bat

Filesize
182B

MD5
5755ccae4eba71fd6688740f54b4065c

SHA1
5c9490becbcbb4c0a95f687366a67f8bcf6512d4

SHA256
b973e0fa0eda16f0b7939d2945d88a0a845d83787728d1f6fdf0b4bacfec7f74

SHA512
616ab3d8234572489112ad6db95b2d4c388685249e7037f98ef49e49de023e9e89268207ef52f7de16298d9526d65d9dde34257ffdae48a0acfe373aae17e459

Download Submit
\Windows\SysWOW64\docyanxk.exe

Filesize
13KB

MD5
b8415f2dcf8d9a9f6580b250abcf0e68

SHA1
dbefda6a972730bca2f17e0fc468079ee21bc3d0

SHA256
0a30f2130ae316b2e838530db43a2b1fdc187f070199d03573531d8688c6eccf

SHA512
5b05bddf8d8f5b46eeaadf2af78622d830bc3606b3fa0aed3e636ef5031f35a16dd707af7bb94545f885396e8dc73d0703af0833fc54332c3dbd261662827aa9

Download Submit
memory/2248-11-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2808-0-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2808-10-0x0000000000030000-0x0000000000040000-memory.dmp

Filesize
64KB

Download
memory/2808-19-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download